Rules engine

Every scan is scored by a versioned rule pack

The full rule pack is public: every rule, its severity, and its detection pattern. Changes are governed — a version bump and a changelog entry are enforced by CI, so the version you see here is the version that scored your scan.

v1.0.2Updated 2026-04-2312 detection rules

Severity weights

Each matched rule adds its severity weight to the risk score. The total is capped at 100.

  • Low
    +10
  • Medium
    +25
  • High
    +50
  • Critical
    +100

Risk bands

The summed score maps to an overall severity band for the whole input.

  • 0 – 19
    Low
    Low signal against the current rule pack.
  • 20 – 49
    Medium
    Meaningful risk signals; review before production.
  • 50 – 79
    High
    Should be treated as blocking until reviewed.
  • 80 – 100
    Critical
    Blocking; strong injection indicators present.

The 12 rules in v1.0.2

Patterns are published deliberately — the pack ships in the public scanner bundle, so transparency costs nothing and lets you audit exactly what each rule matches.

PI-001
High

Direct instruction override attempts

Common pattern in prompt injection attacks attempting to override system instructions

Detection pattern
(ignore|disregard|forget)\s+(?:(?:all|any)\s+)?(previous|prior|above|existing|earlier)\s+(instructions|commands|rules|directives)
PI-002
Critical

System prompt extraction

Attempts to extract system prompts are critical security concerns

Detection pattern
(show|reveal|display|print|output)(?:\s+\w+){0,2}?\s+(your|the)(?:\s+(?:system|original|initial)){1,2}\s+(prompt|instructions)
PI-003
High

Role manipulation

Attempts to redefine AI role or behavior outside of intended use

Detection pattern
(you\s+are\s+now|act\s+as|pretend\s+to\s+be|roleplay\s+as)\s+(a|an)?\s*\w+
PI-004
Medium

Delimiter manipulation

Attempts to manipulate conversation structure delimiters

Detection pattern
(end\s+of|start\s+of)\s+(system|user|assistant|instruction)
PI-005
High

Encoded payload indicators

Encoded content may be attempting to bypass content filters

Detection pattern
(base64|rot13|hex|decode|decrypt)\s*[:\(]
PI-006
Critical

Developer mode activation

Attempts to access privileged or debug modes

Detection pattern
(enable|activate|enter|switch\s+to)\s+(developer|debug|admin|root)\s+(mode|access)
PI-007
Critical

Jailbreak patterns

Known jailbreak pattern attempting to bypass safety guidelines

Detection pattern
(DAN|do\s+anything\s+now|without\s+any\s+rules|unrestricted\s+mode)
PI-008
High

Bypass safety filters

Direct attempts to bypass security controls

Detection pattern
(bypass|circumvent|avoid|disable)\s+(filters?|safety|guidelines|restrictions)
PI-009
Critical

SQL injection patterns

SQL injection attempts in prompt context

Detection pattern
(';|--;|/\*|\*/|xp_|sp_|exec\s*\(|union\s+select)
PI-010
Low

Excessive repetition

Excessive repetition may attempt to confuse or overflow filters

Detection pattern
(\b\w+\b)(?:\s+\1){9,}
PI-011
High

Tool misuse or unauthorized side effects

Attempts to force tool execution or side effects should require explicit operator approval

Detection pattern
(use|run|execute|trigger|call)\s+(?:(?:every|all|available)\s+){0,3}(?:tool|tools|function|functions|command|commands)
PI-012
Critical

Credential or secret phishing

Requests for credentials, reset codes, tokens, or secrets are critical social-engineering indicators

Detection pattern
(ask|request|collect|send|share|reveal)\s+(?:the\s+)?(?:operator|user|customer|admin|person|me)?(?:\s+\w+){0,6}\s+(password|passcode|one-time code|otp|reset code|api key|secret|token|credentials?)

How rules change

  1. Rules live in public/api/scanner/rules/rules.json; every change starts as a pull request.
  2. npm run bump-rules increments the semver version and scaffolds a changelog entry.
  3. CI validates rule structure, severity values, and regex compilation on every rules change.
  4. A second CI check blocks any pull request that modifies rules without a version bump and a real (non-template) changelog entry.

Found an injection pattern the pack misses? Open an issue with the payload shape and expected rule behavior.

Version history

v1.0.22026-04-23
  • Added Rule PI-011: Tool misuse or unauthorized side effects (high) — flags prompts that try to force tool, function, or command execution without operator approval.
  • Added Rule PI-012: Credential or secret phishing (critical) — flags requests for passwords, reset codes, OTPs, API keys, tokens, or other credentials.

Rationale: Extend coverage to tool-forcing and credential-phishing vectors surfaced while expanding the scanner demo corpus. (Backfilled entry: this version shipped in commit `fff7e80` directly on main, bypassing the PR-only changelog check; recorded here to restore the audit trail.)

v1.0.12025-11-07
  • Modified Rule PI-001: Expanded regex to catch "all/any previous" permutations and synonyms so multi-word override attempts are blocked.
  • Modified Rule PI-002: Added tolerance for filler words between leak verbs and pronouns (e.g., "Show me your...") to mirror public jailbreak phrasing.

Rationale: Align coverage with real-world jailbreak transcripts referenced in the CLI test suite.

v1.0.02025-11-06
  • Added 10 core detection rules
  • Coverage areas:
  • Direct instruction override (PI-001)
  • System prompt extraction (PI-002)
  • Role manipulation (PI-003)
  • Delimiter manipulation (PI-004)
  • Encoded payload indicators (PI-005)
  • Developer mode activation (PI-006)
  • Jailbreak patterns (PI-007)
  • Safety filter bypass (PI-008)
  • SQL injection patterns (PI-009)
  • Excessive repetition (PI-010)

Initial Release

Rationale: Establish baseline detection coverage for common prompt injection attack vectors.